Today though, I'm going to put on my security hat and discuss intrusion detection. Intrusion philosophy has gone through a big shift over the past few years. It used to be that we just had to worry about the perimeter, but now we need to worry about other devices on the network. The current posture is to trust nothing. Your own network is not safe.

When I went to GrrCon last October, David Kennedy (TrustedSec) gave a keynote and mentioned a piece of software called Artillery. Now, honeypots have always intrigued me, but I'm no security researcher. Nor am I well-versed in the use of Linux, for that matter. It seems to me that most of the more robust honeypots are overkill for what I wanted, which is basically a booby trap on my network to tell me if anything tries to connect to it. This is the reason that "Honeypot" is in quotes in the title. Artillery isn't a full-blown honeypot.

In my case, Artillery helps by alerting me if someone is snooping around where they shouldn't, or if I have something working its way through my systems on its own: an SMB worm, for example.

First off, I would recommend giving your Artillery server a juicy, inviting name: something having to do with IT docs, or finance, or maybe even certificates. This should change depending on what's of value in your network. Put on your black hat: what would an evildoer be looking for?

After the installation, Artillery presents any open ports you tell it to, and when someone tries to connect, it emails me. It's important to note that running Nmap against the server generates no alerts; only attempting to connect to the port triggers any action.

Do you want to install Artillery and have it automatically run when you restart [y/n]: yes
Do you want to keep Artillery updated? (requires internet) [y/n]: yes
Would you like to start Artillery now? [y/n]: yes

NOTE THAT THIS SERVER WILL NOT HAVE A USEFUL SSH INSTALL (that port is used in the detection scheme), so you will need to open the VMware console to manage it.
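To make the detection scheme concrete, here is a small trap listener I've added as an illustration; it is not Artillery's own code and does not use Artillery's config or ban mechanism. It opens decoy TCP ports, records the source of every completed connection, puts that source on an in-memory "ban" set (standing in for the firewall DROP rule Artillery adds), and builds the text of an alert. It also shows why a port scan alone stays quiet: a half-open scan never finishes the TCP handshake, so accept() never returns for it, and only a real connect() is recorded. Class and function names, the whitelist option, and the use of port 0 to let the OS pick a free port are my own choices for the example.

```python
"""Minimal TCP trap listener modelled on the behaviour described above.
Added example, not Artillery's own code. Decoy ports, the whitelist and
the in-memory ban set are assumptions made for this illustration."""
import selectors
import socket
import threading
import time
from datetime import datetime, timezone


class TrapListener:
    def __init__(self, ports, host="127.0.0.1", whitelist=()):
        self.sel = selectors.DefaultSelector()
        self.whitelist = set(whitelist)  # hosts that must never trigger an alert, e.g. your own scanner
        self.events = []                 # (utc timestamp, peer_ip, decoy port) per completed connection
        self.banned = set()              # stands in for the firewall DROP rule a real deployment adds
        self._listeners = []
        self._stop = threading.Event()
        self._thread = None
        for port in ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((host, port))      # port 0 asks the OS for any free port (handy for testing)
            sock.listen(8)
            sock.setblocking(False)
            self.sel.register(sock, selectors.EVENT_READ)
            self._listeners.append(sock)

    @property
    def ports(self):
        """The decoy ports actually bound (resolves port 0 to the real number)."""
        return [s.getsockname()[1] for s in self._listeners]

    def record(self, peer_ip, decoy_port):
        """Alert/ban decision for one completed connection; returns the event or None."""
        if peer_ip in self.whitelist:
            return None
        event = (datetime.now(timezone.utc).isoformat(), peer_ip, decoy_port)
        self.events.append(event)
        self.banned.add(peer_ip)
        return event

    def serve(self, poll_interval=0.1):
        """Accept loop. A SYN scan never completes the handshake, so accept()
        never fires for it; only a full connect() ends up in self.events."""
        while not self._stop.is_set():
            for key, _ in self.sel.select(poll_interval):
                listener = key.fileobj
                conn, (peer_ip, _) = listener.accept()
                conn.close()             # a decoy offers no service; it just drops the connection
                self.record(peer_ip, listener.getsockname()[1])

    def start(self):
        self._thread = threading.Thread(target=self.serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        for s in self._listeners:
            self.sel.unregister(s)
            s.close()
        self.sel.close()


def alert_message(event, trap_name):
    """Body of the notification a deployment would email for one event."""
    ts, peer_ip, port = event
    return (f"[{trap_name}] {ts} connection from {peer_ip} to decoy port {port}; "
            f"{peer_ip} added to the ban list")


def probe(host, port):
    """Full TCP connect and immediate close: this is what triggers a trap."""
    with socket.create_connection((host, port), timeout=2):
        pass


def wait_for_events(trap, count, timeout=3.0):
    """Poll until the trap has recorded `count` events; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if len(trap.events) >= count:
            return True
        time.sleep(0.05)
    return False


if __name__ == "__main__":
    trap = TrapListener([0, 0])          # two decoy ports chosen by the OS for the demo
    trap.start()
    probe("127.0.0.1", trap.ports[1])    # constructed "intruder" connection from localhost
    wait_for_events(trap, 1)
    trap.stop()
    for ev in trap.events:
        print(alert_message(ev, "finance-docs"))
```

In a real deployment the decoy ports would be the ones you configure (SSH among them, which is why the server in the post has no usable SSH), the alert would go out by email, and the ban would be a firewall rule rather than a Python set.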

Some commands to know:
ipchains -L can show you what IP addresses have been banned (look for the words 'DROP' and 'all' in the Chain Artillery section). I've added the alias 'artdrop' for my convenience.

As root, if you go to /var/artillery, you can run python remove_ban.py <IP_Address> to unban an IP.

View the last bit of the log file: tail -f /var/log/syslog (I've created the alias 'artlast' to do this for me).

If you edit the config file (nano /var/artillery/config), you'll need to restart Artillery with python restart_server.py (from the /var/artillery dir).